Feb 21, 2025 · Feb 16, 2025 · Feb 19, 2025 · Feb 16, 2025 · Feb 17, 2025 · Feb 17, 2025
diff --git a/cli/server.go b/cli/server.go
 }
 }

 if vals.OAuth2.Github.ClientSecret != "" {
 if vals.OAuth2.Github.ClientSecret != ""|| vals.OAuth2.Github.DeviceFlow.Value(){
 options.GithubOAuth2Config, err = configureGithubOAuth2(
 oauthInstrument,
 vals.AccessURL.Value(),
 vals.OAuth2.Github.ClientID.String(),
 vals.OAuth2.Github.ClientSecret.String(),
 vals.OAuth2.Github.DeviceFlow.Value(),
 vals.OAuth2.Github.AllowSignups.Value(),
 vals.OAuth2.Github.AllowEveryone.Value(),
 vals.OAuth2.Github.AllowedOrgs,
 return nil
 }

 // TODO: convert the argument list to a struct, it's easy to mix up the order of the arguments
 //
 //nolint:revive // Ignore flag-parameter: parameter 'allowEveryone' seems to be a control flag, avoid control coupling (revive)
 func configureGithubOAuth2(instrument *promoauth.Factory, accessURL *url.URL, clientID, clientSecret string, allowSignups, allowEveryone bool, allowOrgs []string, rawTeams []string, enterpriseBaseURL string) (*coderd.GithubOAuth2Config, error) {
 func configureGithubOAuth2(instrument *promoauth.Factory, accessURL *url.URL, clientID, clientSecret string,deviceFlow,allowSignups, allowEveryone bool, allowOrgs []string, rawTeams []string, enterpriseBaseURL string) (*coderd.GithubOAuth2Config, error) {
 redirectURL, err := accessURL.Parse("/api/v2/users/oauth2/github/callback")
 if err != nil {
 return nil, xerrors.Errorf("parse github oauth callback url: %w", err)
 return github.NewClient(client), nil
 }

 var deviceAuth *externalauth.DeviceAuth
 if deviceFlow {
 deviceAuth = &externalauth.DeviceAuth{
 Config:   instrumentedOauth,
 ClientID: clientID,
 TokenURL: endpoint.TokenURL,
 Scopes:   []string{"read:user", "read:org", "user:email"},
 CodeURL:  endpoint.DeviceAuthURL,
 }
 }

 return &coderd.GithubOAuth2Config{
 OAuth2Config:       instrumentedOauth,
 AllowSignups:       allowSignups,
 team, _, err := api.Teams.GetTeamMembershipBySlug(ctx, org, teamSlug, username)
 return team, err
 },
 DeviceFlowEnabled: deviceFlow,
 ExchangeDeviceCode: func(ctx context.Context, deviceCode string) (*oauth2.Token, error) {
 if !deviceFlow {
 return nil, xerrors.New("device flow is not enabled")
 }
 return deviceAuth.ExchangeDeviceCode(ctx, deviceCode)
 },
 AuthorizeDevice: func(ctx context.Context) (*codersdk.ExternalAuthDevice, error) {
 if !deviceFlow {
 return nil, xerrors.New("device flow is not enabled")
 }
 return deviceAuth.AuthorizeDevice(ctx)
 },
 }, nil
 }

diff --git a/coderd/coderd.go b/coderd/coderd.go
 r.Post("/validate-password", api.validateUserPassword)
 r.Post("/otp/change-password", api.postChangePasswordWithOneTimePasscode)
 r.Route("/oauth2", func(r chi.Router) {
 r.Get("/github/device", api.userOAuth2GithubDevice)
 r.Route("/github", func(r chi.Router) {
 r.Use(
 httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, nil),
diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go

 oauthToken, err := config.Exchange(ctx, code)
 if err != nil {
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 Message: "Internal error exchanging Oauth code.",
 Detail:  err.Error(),
 errorCode := http.StatusInternalServerError
 detail := err.Error()
 if detail == "authorization_pending" {
 // In the device flow, the token may not be immediately
 // available. This is expected, and the client will retry.
 errorCode = http.StatusBadRequest
 }
 httpapi.Write(ctx, rw, errorCode, codersdk.Response{
 Message: "Failed exchanging Oauth code.",
 Detail:  detail,
 })
 return
 }
diff --git a/coderd/userauth.go b/coderd/userauth.go
 ListOrganizationMemberships func(ctx context.Context, client *http.Client) ([]*github.Membership, error)
 TeamMembership              func(ctx context.Context, client *http.Client, org, team, username string) (*github.Membership, error)

 DeviceFlowEnabled  bool
 ExchangeDeviceCode func(ctx context.Context, deviceCode string) (*oauth2.Token, error)
 AuthorizeDevice    func(ctx context.Context) (*codersdk.ExternalAuthDevice, error)

 AllowSignups       bool
 AllowEveryone      bool
 AllowOrganizations []string
 AllowTeams         []GithubOAuth2Team
 }

 func (c *GithubOAuth2Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
 if !c.DeviceFlowEnabled {
 return c.OAuth2Config.Exchange(ctx, code, opts...)
 }
 return c.ExchangeDeviceCode(ctx, code)
 }

 func (c *GithubOAuth2Config) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string {
 if !c.DeviceFlowEnabled {
 return c.OAuth2Config.AuthCodeURL(state, opts...)
 }
 // This is an absolute path in the Coder app. The device flow is orchestrated
 // by the Coder frontend, so we need to redirect the user to the device flow page.
 return "/login/device?state=" + state
 }

 // @Summary Get authentication methods
 // @ID get-authentication-methods
 // @Security CoderSessionToken
 })
 }

 // @Summary Get Github device auth.
 // @ID get-github-device-auth
 // @Security CoderSessionToken
 // @Produce json
 // @Tags Users
 // @Success 200 {object} codersdk.ExternalAuthDevice
 // @Router /users/oauth2/github/device [get]
 func (api *API) userOAuth2GithubDevice(rw http.ResponseWriter, r *http.Request) {
 var (
 ctx               = r.Context()
 auditor           = api.Auditor.Load()
 aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
 Audit:   *auditor,
 Log:     api.Logger,
 Request: r,
 Action:  database.AuditActionLogin,
 })
 )
 aReq.Old = database.APIKey{}
 defer commitAudit()

 if api.GithubOAuth2Config == nil {
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 Message: "Github OAuth2 is not enabled.",
 })
 return
 }

 if !api.GithubOAuth2Config.DeviceFlowEnabled {
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 Message: "Device flow is not enabled for Github OAuth2.",
 })
 return
 }

 deviceAuth, err := api.GithubOAuth2Config.AuthorizeDevice(ctx)
 if err != nil {
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 Message: "Failed to authorize device.",
 Detail:  err.Error(),
 })
 return
 }

 httpapi.Write(ctx, rw, http.StatusOK, deviceAuth)
 }

 // @Summary OAuth 2.0 GitHub Callback
 // @ID oauth-20-github-callback
 // @Security CoderSessionToken
 }

 redirect = uriFromURL(redirect)
 http.Redirect(rw, r, redirect, http.StatusTemporaryRedirect)
 if api.GithubOAuth2Config.DeviceFlowEnabled {
 // In the device flow, the redirect is handled client-side.
 httpapi.Write(ctx, rw, http.StatusOK, codersdk.OAuth2DeviceFlowCallbackResponse{
 RedirectURL: redirect,
 })
 } else {
 http.Redirect(rw, r, redirect, http.StatusTemporaryRedirect)
 }
 }

 type OIDCConfig struct {
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
 type OAuth2GithubConfig struct {
 ClientID          serpent.String      `json:"client_id" typescript:",notnull"`
 ClientSecret      serpent.String      `json:"client_secret" typescript:",notnull"`
 DeviceFlow        serpent.Bool        `json:"device_flow" typescript:",notnull"`
 AllowedOrgs       serpent.StringArray `json:"allowed_orgs" typescript:",notnull"`
 AllowedTeams      serpent.StringArray `json:"allowed_teams" typescript:",notnull"`
 AllowSignups      serpent.Bool        `json:"allow_signups" typescript:",notnull"`
 Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
 Group:       &deploymentGroupOAuth2GitHub,
 },
 {
 Name:        "OAuth2 GitHub Device Flow",
 Description: "Enable device flow for Login with GitHub.",
 Flag:        "oauth2-github-device-flow",
 Env:         "CODER_OAUTH2_GITHUB_DEVICE_FLOW",
 Value:       &c.OAuth2.Github.DeviceFlow,
 Group:       &deploymentGroupOAuth2GitHub,
 YAML:        "deviceFlow",
 Default:     "false",
 },
 {
 Name:        "OAuth2 GitHub Allowed Orgs",
 Description: "Organizations the user must be a member of to Login with GitHub.",
diff --git a/codersdk/oauth2.go b/codersdk/oauth2.go
 }
 return nil
 }

 type OAuth2DeviceFlowCallbackResponse struct {
 RedirectURL string `json:"redirect_url"`
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -677,12 +677,13 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.
		}
		}

		if vals.OAuth2.Github.ClientSecret != "" {
		if vals.OAuth2.Github.ClientSecret != ""\|\| vals.OAuth2.Github.DeviceFlow.Value(){
		options.GithubOAuth2Config, err = configureGithubOAuth2(
		oauthInstrument,
		vals.AccessURL.Value(),
		vals.OAuth2.Github.ClientID.String(),
		vals.OAuth2.Github.ClientSecret.String(),
		vals.OAuth2.Github.DeviceFlow.Value(),
		vals.OAuth2.Github.AllowSignups.Value(),
		vals.OAuth2.Github.AllowEveryone.Value(),
		vals.OAuth2.Github.AllowedOrgs,
Expand DownExpand Up		@@ -1831,8 +1832,10 @@ func configureCAPool(tlsClientCAFile string, tlsConfig *tls.Config) error {
		return nil
		}

		// TODO: convert the argument list to a struct, it's easy to mix up the order of the arguments
		//
		//nolint:revive // Ignore flag-parameter: parameter 'allowEveryone' seems to be a control flag, avoid control coupling (revive)
		func configureGithubOAuth2(instrument promoauth.Factory, accessURL url.URL, clientID, clientSecret string, allowSignups, allowEveryone bool, allowOrgs []string, rawTeams []string, enterpriseBaseURL string) (*coderd.GithubOAuth2Config, error) {
		func configureGithubOAuth2(instrument promoauth.Factory, accessURL url.URL, clientID, clientSecret string,deviceFlow,allowSignups, allowEveryone bool, allowOrgs []string, rawTeams []string, enterpriseBaseURL string) (*coderd.GithubOAuth2Config, error) {
Copy link Member EmyrkFeb 19, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. We should really make these args a struct soon. Not necessary in this PR, just a ton of options that can be misorderd. Copy link ContributorAuthor hugodutkaFeb 21, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Added a TODO
		redirectURL, err := accessURL.Parse("/api/v2/users/oauth2/github/callback")
		if err != nil {
		return nil, xerrors.Errorf("parse github oauth callback url: %w", err)
Expand DownExpand Up		@@ -1898,6 +1901,17 @@ func configureGithubOAuth2(instrument promoauth.Factory, accessURL url.URL, cl
		return github.NewClient(client), nil
		}

		var deviceAuth *externalauth.DeviceAuth
		if deviceFlow {
		deviceAuth = &externalauth.DeviceAuth{
		Config: instrumentedOauth,
		ClientID: clientID,
		TokenURL: endpoint.TokenURL,
		Scopes: []string{"read:user", "read:org", "user:email"},
		CodeURL: endpoint.DeviceAuthURL,
		}
		}

		return &coderd.GithubOAuth2Config{
		OAuth2Config: instrumentedOauth,
		AllowSignups: allowSignups,
Expand DownExpand Up		@@ -1941,6 +1955,19 @@ func configureGithubOAuth2(instrument promoauth.Factory, accessURL url.URL, cl
		team, _, err := api.Teams.GetTeamMembershipBySlug(ctx, org, teamSlug, username)
		return team, err
		},
		DeviceFlowEnabled: deviceFlow,
		ExchangeDeviceCode: func(ctx context.Context, deviceCode string) (*oauth2.Token, error) {
		if !deviceFlow {
		return nil, xerrors.New("device flow is not enabled")
		}
		return deviceAuth.ExchangeDeviceCode(ctx, deviceCode)
		},
		AuthorizeDevice: func(ctx context.Context) (*codersdk.ExternalAuthDevice, error) {
		if !deviceFlow {
		return nil, xerrors.New("device flow is not enabled")
		}
		return deviceAuth.AuthorizeDevice(ctx)
		},
		}, nil
		}

Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -1087,6 +1087,7 @@ func New(options Options) API {
		r.Post("/validate-password", api.validateUserPassword)
		r.Post("/otp/change-password", api.postChangePasswordWithOneTimePasscode)
		r.Route("/oauth2", func(r chi.Router) {
		r.Get("/github/device", api.userOAuth2GithubDevice)
		r.Route("/github", func(r chi.Router) {
		r.Use(
		httpmw.ExtractOAuth2(options.GithubOAuth2Config, options.HTTPClient, nil),
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -167,9 +167,16 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp

		oauthToken, err := config.Exchange(ctx, code)
		if err != nil {
		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
		Message: "Internal error exchanging Oauth code.",
		Detail: err.Error(),
		errorCode := http.StatusInternalServerError
		detail := err.Error()
		if detail == "authorization_pending" {
		// In the device flow, the token may not be immediately
		// available. This is expected, and the client will retry.
		errorCode = http.StatusBadRequest
		}
Comment on lines +172 to +176 Copy link Member EmyrkFeb 19, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Is this error comparison correct? Comparing to the usage in the oauth lib, it is checking the`ErrorCode` field of the`RetreiveError`. Usage:https://github.com/golang/oauth2/blob/master/deviceauth.go#L189-L190 Error type:https://github.com/golang/oauth2/blob/master/token.go#L187-L198 Copy link ContributorAuthor hugodutkaFeb 21, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. We actually don't use the`DeviceAccessToken` method from the oauth lib. We have a custom implementation of ExchangeDeviceCodewhich we use for the device flow. That implementationcalls`codersdk.ReadBodyAsError` on an HTTP response it gets from GitHub, which populates the detail field with`"authorization_pending"`. I verified that the check is valid. For context, we use a custom implementation instead of the lib's`DeviceAccessToken` because the latter keeps retrying until the code is successfully exchanged. We keep the retry logic on the frontend. That way you don't have an HTTP call that hangs for what can be minutes until the user authenticates with GitHub.
		httpapi.Write(ctx, rw, errorCode, codersdk.Response{
		Message: "Failed exchanging Oauth code.",
		Detail: detail,
		})
		return
		}
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -748,12 +748,32 @@ type GithubOAuth2Config struct {
		ListOrganizationMemberships func(ctx context.Context, client http.Client) ([]github.Membership, error)
		TeamMembership func(ctx context.Context, client http.Client, org, team, username string) (github.Membership, error)

		DeviceFlowEnabled bool
		ExchangeDeviceCode func(ctx context.Context, deviceCode string) (*oauth2.Token, error)
		AuthorizeDevice func(ctx context.Context) (*codersdk.ExternalAuthDevice, error)

		AllowSignups bool
		AllowEveryone bool
		AllowOrganizations []string
		AllowTeams []GithubOAuth2Team
		}

		func (c GithubOAuth2Config) Exchange(ctx context.Context, code string, opts ...oauth2.AuthCodeOption) (oauth2.Token, error) {
		if !c.DeviceFlowEnabled {
		return c.OAuth2Config.Exchange(ctx, code, opts...)
		}
		return c.ExchangeDeviceCode(ctx, code)
		}

		func (c *GithubOAuth2Config) AuthCodeURL(state string, opts ...oauth2.AuthCodeOption) string {
		if !c.DeviceFlowEnabled {
		return c.OAuth2Config.AuthCodeURL(state, opts...)
		}
		// This is an absolute path in the Coder app. The device flow is orchestrated
		// by the Coder frontend, so we need to redirect the user to the device flow page.
		return "/login/device?state=" + state
Copy link Member EmyrkFeb 19, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Is this a relative url to our Coder app? Not an external auth url? Can you just leave a comment that mentions this. I say that becaused`AuthCodeURL` in a regular Oauth flow is a link to an external domain. So it's not obvious imo. hugodutka reacted with thumbs up emoji
		}

		// @Summary Get authentication methods
		// @ID get-authentication-methods
		// @Security CoderSessionToken
Expand DownExpand Up		@@ -786,6 +806,53 @@ func (api API) userAuthMethods(rw http.ResponseWriter, r http.Request) {
		})
		}

		// @Summary Get Github device auth.
		// @ID get-github-device-auth
		// @Security CoderSessionToken
		// @Produce json
		// @Tags Users
		// @Success 200 {object} codersdk.ExternalAuthDevice
		// @Router /users/oauth2/github/device [get]
		func (api API) userOAuth2GithubDevice(rw http.ResponseWriter, r http.Request) {
		var (
		ctx = r.Context()
		auditor = api.Auditor.Load()
		aReq, commitAudit = audit.InitRequest[database.APIKey](rw, &audit.RequestParams{
		Audit: *auditor,
		Log: api.Logger,
		Request: r,
		Action: database.AuditActionLogin,
		})
		)
		aReq.Old = database.APIKey{}
		defer commitAudit()

		if api.GithubOAuth2Config == nil {
		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
		Message: "Github OAuth2 is not enabled.",
		})
		return
		}

		if !api.GithubOAuth2Config.DeviceFlowEnabled {
		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
		Message: "Device flow is not enabled for Github OAuth2.",
		})
		return
		}

		deviceAuth, err := api.GithubOAuth2Config.AuthorizeDevice(ctx)
		if err != nil {
		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
		Message: "Failed to authorize device.",
		Detail: err.Error(),
		})
		return
		}

		httpapi.Write(ctx, rw, http.StatusOK, deviceAuth)
		}

		// @Summary OAuth 2.0 GitHub Callback
		// @ID oauth-20-github-callback
		// @Security CoderSessionToken
Expand DownExpand Up		@@ -1016,7 +1083,14 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {
		}

		redirect = uriFromURL(redirect)
		http.Redirect(rw, r, redirect, http.StatusTemporaryRedirect)
		if api.GithubOAuth2Config.DeviceFlowEnabled {
		// In the device flow, the redirect is handled client-side.
		httpapi.Write(ctx, rw, http.StatusOK, codersdk.OAuth2DeviceFlowCallbackResponse{
		RedirectURL: redirect,
		})
Comment on lines +1087 to +1090 Copy link Member EmyrkFeb 19, 2025 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. 👍
		} else {
		http.Redirect(rw, r, redirect, http.StatusTemporaryRedirect)
		}
		}

		type OIDCConfig struct {
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -505,6 +505,7 @@ type OAuth2Config struct {
		type OAuth2GithubConfig struct {
		ClientID serpent.String `json:"client_id" typescript:",notnull"`
		ClientSecret serpent.String `json:"client_secret" typescript:",notnull"`
		DeviceFlow serpent.Bool `json:"device_flow" typescript:",notnull"`
		AllowedOrgs serpent.StringArray `json:"allowed_orgs" typescript:",notnull"`
		AllowedTeams serpent.StringArray `json:"allowed_teams" typescript:",notnull"`
		AllowSignups serpent.Bool `json:"allow_signups" typescript:",notnull"`
Expand DownExpand Up		@@ -1572,6 +1573,16 @@ func (c *DeploymentValues) Options() serpent.OptionSet {
		Annotations: serpent.Annotations{}.Mark(annotationSecretKey, "true"),
		Group: &deploymentGroupOAuth2GitHub,
		},
		{
		Name: "OAuth2 GitHub Device Flow",
		Description: "Enable device flow for Login with GitHub.",
		Flag: "oauth2-github-device-flow",
		Env: "CODER_OAUTH2_GITHUB_DEVICE_FLOW",
		Value: &c.OAuth2.Github.DeviceFlow,
		Group: &deploymentGroupOAuth2GitHub,
		YAML: "deviceFlow",
		Default: "false",
		},
		{
		Name: "OAuth2 GitHub Allowed Orgs",
		Description: "Organizations the user must be a member of to Login with GitHub.",
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -227,3 +227,7 @@ func (c *Client) RevokeOAuth2ProviderApp(ctx context.Context, appID uuid.UUID) e
		}
		return nil
		}

		type OAuth2DeviceFlowCallbackResponse struct {
		RedirectURL string `json:"redirect_url"`
		}